Online Password Guessing Threat Underestimated

Results from research conducted by security experts in the U.K. and China show, for the first time, that an overwhelming number of passwords for online accounts are vulnerable to targeted online guessing.

Credit: Lancaster University

Researchers from Lancaster University in the U.K., and Peking University and Fujian Normal University in China, have created several guessing frameworks that prioritize the order of guesses according to which types of personal information the attacker has access to.

The research aims to analyze the vulnerability of online passwords to targeted guessing.

The prioritizing models were tested against 10 large real-world datasets from Chinese and English Internet users. The researchers found that the attack models that benefited from multiple pieces of personal information were able to guess the passwords of more than 73% of normal users, and of about a third of security-savvy users, within a limit of 100 guesses.

"Our results suggest that the currently used security mechanisms would be largely ineffective against the targeted online guessing threat, and this threat has already become much more damaging than expected," says Lancaster University researcher Jeff Yan. He says the research indicates targeted password guessing is an underestimated threat, as a large number of passwords can be guessed if personal information is known to the attacker.
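One defensive consequence of this finding is that a site should refuse passwords that are built from the account holder's own profile data, since that is exactly the material a targeted guesser would try first. The check below is an added example, not code from the researchers or the article: the profile fields, the transformation rules (name parts and initials, birthday digit orderings, username and e-mail fragments, phone suffixes) and the sample users are my own constructions and are deliberately simpler than the paper's guessing models. It reports which personal-information fragments a password contains, what fraction of the password they cover, and the share of a constructed user list that would be flagged at registration time.

```python
"""Flag passwords derived from the account holder's own personal information.

Added example (not the researchers' code). The transformation rules and the
sample profiles are illustrative constructions, not real user data.
"""
import re
from datetime import date

MIN_TOKEN = 4             # ignore fragments shorter than this to limit false positives
COVERAGE_THRESHOLD = 0.5  # flag when at least half the password is PII-derived


def name_tokens(name):
    """Lower-cased name parts, concatenations and initial+part combinations."""
    parts = [p.lower() for p in name.split() if p]
    tokens = set(parts)
    tokens.add("".join(parts))
    tokens.add("".join(reversed(parts)))
    if len(parts) > 1:
        tokens.add(parts[0][0] + parts[-1])   # first initial + last part
        tokens.add(parts[-1][0] + parts[0])   # last initial + first part
    return tokens


def date_tokens(d):
    """Common digit orderings of a date of birth (YYYYMMDD, DDMMYYYY, MMDD, ...)."""
    y, yy, m, dd = f"{d.year:04d}", f"{d.year % 100:02d}", f"{d.month:02d}", f"{d.day:02d}"
    return {y, m + dd, dd + m,
            y + m + dd, dd + m + y, m + dd + y,
            yy + m + dd, dd + m + yy, m + dd + yy}


def pii_tokens(profile):
    """All fragments of a profile that a password should not be built from."""
    tokens = set()
    if profile.get("name"):
        tokens |= name_tokens(profile["name"])
    if profile.get("birthday"):
        tokens |= date_tokens(profile["birthday"])
    if profile.get("username"):
        u = profile["username"].lower()
        tokens.add(u)
        tokens |= set(re.findall(r"[a-z]+|\d+", u))      # alpha and digit runs
    if profile.get("email"):
        local = profile["email"].split("@", 1)[0].lower()
        tokens.add(re.sub(r"[^a-z0-9]", "", local))       # local part without separators
        tokens |= set(re.findall(r"[a-z0-9]+", local))
    if profile.get("phone"):
        digits = re.sub(r"\D", "", profile["phone"])
        tokens |= {digits, digits[-4:], digits[-6:]}
    return {t for t in tokens if len(t) >= MIN_TOKEN}


def matched_pii(password, profile):
    """PII fragments found in the password, longest first."""
    pw = password.lower()
    return sorted((t for t in pii_tokens(profile) if t in pw),
                  key=lambda t: (-len(t), t))


def pii_coverage(password, profile):
    """Fraction of password characters covered by at least one PII fragment."""
    pw = password.lower()
    covered = [False] * len(pw)
    for tok in matched_pii(password, profile):
        start = pw.find(tok)
        while start != -1:
            for j in range(start, start + len(tok)):
                covered[j] = True
            start = pw.find(tok, start + 1)
    return sum(covered) / len(pw) if pw else 0.0


def derived_from_pii(password, profile):
    """Registration-time decision: reject if the password is mostly profile data."""
    return pii_coverage(password, profile) >= COVERAGE_THRESHOLD


def fraction_flagged(users):
    """Share of (password, profile) pairs the check would reject."""
    flagged = sum(1 for pw, prof in users if derived_from_pii(pw, prof))
    return flagged / len(users) if users else 0.0


# Constructed sample profiles and passwords (illustrative, not real accounts).
SAMPLE_PROFILE = {"username": "wangwei88", "name": "Wang Wei", "birthday": date(1988, 7, 15),
                  "phone": "13812345678", "email": "wang.wei@example.com"}
PROFILE_LI = {"username": "lxm95", "name": "Li Xiaoming", "birthday": date(1995, 4, 20),
              "phone": "13900001234", "email": "xiaoming.li@example.org"}
PROFILE_ZHANG = {"username": "zl1990", "name": "Zhang Lei", "birthday": date(1990, 1, 1),
                 "phone": "13700000000", "email": "zhang.lei@example.net"}
SAMPLE_USERS = [("WangWei1988", SAMPLE_PROFILE), ("Correct-Horse-Battery", SAMPLE_PROFILE),
                ("li.xiaoming0420", PROFILE_LI), ("ilovemycat", PROFILE_ZHANG)]

if __name__ == "__main__":
    for pw, prof in SAMPLE_USERS:
        print(f"{pw!r}: matched={matched_pii(pw, prof)} coverage={pii_coverage(pw, prof):.2f} "
              f"reject={derived_from_pii(pw, prof)}")
    print(f"fraction flagged: {fraction_flagged(SAMPLE_USERS):.2f}")
```

The check is a complement to, not a replacement for, per-account throttling of failed logins: it removes the guesses that personal information makes cheapest, while the throttle bounds how many guesses an attacker gets at all. The four-character minimum means short fragments such as a two-letter surname or a two-digit birth year are not matched on their own, so tune `MIN_TOKEN` and `COVERAGE_THRESHOLD` against your own user population rather than treating these values as fixed.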

The research was presented last month at the ACM Conference of Communication and Systems Security (CCS 2016) in Vienna, Austria.